I want to avoid AES key disclosure while doing encryption on the client side and decryption on the server side. I am doing the encryption via JavaScript and the decryption on the server side during the login process. I am using the aes js file for the same. Functionality is working fine, but I am facing the AES key (7061737323313233) value as a vulnerability issue. I tried several ways like fetching from Config and passing to a js file etc., but still the vulnerability is there.
I need a resolution for this or an alternate encryption/decryption mechanism (encryption at client level and decryption at server level).

What I have tried:

My JavaScript to do the encryption is as below:
function EncryptAES() {
    var clearpass = document.getElementById('txtPassword').value;
    // Key and IV are hard-coded in the page, so anyone who can read the script has them.
    var key = CryptoJS.enc.Utf8.parse('7061737323313233');
    var iv = CryptoJS.enc.Utf8.parse('7061737323313233');
    var encrypted = CryptoJS.AES.encrypt(CryptoJS.enc.Utf8.parse(clearpass), key,
        {
            // keySize is ignored by CryptoJS when an explicit key WordArray is supplied
            keySize: 128 / 8,
            iv: iv,
            mode: CryptoJS.mode.CBC,
            padding: CryptoJS.pad.Pkcs7
        });

    // toString() on the cipher params object yields the Base64 ciphertext
    document.getElementById('txtPassword').value = encrypted.toString();
}
Posted
Updated 12-Nov-21 5:16am

You cannot encrypt with AES without the same key you need for decryption; regardless of where you encrypt, that will be a vulnerability, as the encryptor needs the key in clear to do its job.

Have you considered Public Key encryption? The public key can be published to your client and used to encrypt the data, but the Private key is needed for decryption and that remains server-side at all times.
Public-key cryptography - Wikipedia
It doesn't matter then if the encrypting key is compromised - it's useless for decryption anyway.
Forget "encrypting" the password on the client. Just use HTTPS for your site. That way, all of the communication between your server and your users is protected from eavesdropping and modification:
Troy Hunt: Here's Why Your Static Website Needs HTTPS

And make sure when it gets to your server, the password is being stored correctly:
Secure Password Authentication Explained Simply
Salted Password Hashing - Doing it Right

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
